Archive for the ‘Global standards’ Category

10 Feb 2017

Privacy Tech-Know Blog: The actual privacy benefits of virtual private networks


Virtual Private Networks (VPNs) let you establish a secure communications channel between your computing device and a server. After connecting to the server, you could gain access to a private network that has work files or applications, or use the server as a relay point to then access Internet content when browsing from a public network.

There are several reasons for using a VPN: you might need to remotely access information held on corporate servers while travelling or working from home; you might be wary of the insecure wireless networks you’re using; or you might want to access online content that’s blocked on the network you’re connected to but is accessible from the server somewhere else. Sometimes a company will require you to use a VPN, meaning the company will dictate the security and type of VPN you use (for example, your employer). Whereas when you make a consumer decision to use a VPN you’re responsible for making these decisions on your own.

In the wake of Edward Snowden’s revelations, a large number of consumer VPN providers have sprung up, and security experts now often suggest that you use a VPN when accessing the Internet from an insecure network (e.g., a café, public library, or other free Wi-Fi hotspot). This blog post will help you understand what to look for when choosing between different VPN services.

Read the rest of this entry »


19 Sep 2016

Children’s Privacy Sweep yields positive changes


So whatever happened with that Children’s Privacy Sweep, you ask?

Before we delve into the results of the 2016 Internet of Things Sweep—look out for them very soon—we thought we should update you on the outcome of our discussions with developers behind the mobile applications (apps) and websites we raised concerns about in a blog post and/or letters issued last fall.

Read the rest of this entry »


2 Sep 2015

Child sweepers share observations on web/mobile app privacy


Commissioner Daniel Therrien visits with children during Kids Privacy Sweep.

Privacy Commissioner of Canada Daniel Therrien pops in on Global Privacy Enforcement Network Children’s Privacy Sweep where a few kids are on hand to help.

A children’s privacy sweep with no children? In the words of cartoon curmudgeon Charlie Brown, “good grief!”

. . . and that was roughly genesis of the Office of the Privacy Commissioner of Canada’s (OPC) first ever Kid’s Sweep.

Nine youngsters, the offspring of OPC employees who also participated in the Sweep, descended on 30 rue Victoria one early May morning during International Sweep Week.

Fuelled on promises of pizza and cookies, the seven to 13-year-old boys and girls parked themselves in front of the laptop or tablet of their choice. Their job? To interact with their favorite apps and websites, thus recreating the user experience under the watchful gaze of their parents who took notes on how they navigated the privacy settings, or lack thereof, as the case happened to be for some sites.

The following is an edited transcript of what the kids, and their parents, had to say during a post-Sweep debrief before the smell of hot cheese and pepperoni wafted into the room and snatched their attention.

Did you have fun?

“Yeaaah!” (Kids shout in unison.)

Was anything hard or frustrating?

“It was hard to read privacy policies; they were really long and boring.”

Was it hard to sign up for some of the websites?

“If you are under 13, you are redirected to (the kid’s version of the website.)” Mom proceeded to explain that her son nonetheless managed to find a work-around.

What were some of the personal questions the website or app asked you?

“Where do you go to school? What’s your address?”

“It asked if you’re a student or a teacher.”

“It asked what gender you were.”

“Date of birth.”

“(On one website), if you typed in your real name, it wouldn’t take it or any short form of the name.”

“My photo.” (Mom added: “I wouldn’t let him. I shut it down real fast.”)

“It asked for what grade you were in.”

“(One website) asked for your picture but we just used a picture of a penguin that was already saved on the computer.” (Mom added: “But then it encouraged you to use a real picture.”)

Boy at computer.Did you always understand what the website or app was asking for?

“When I was working on (one website), I thought there were games made by other people that you could play but it was just shopping. That’s where there was the long and boring parts.”

Did any websites or apps tell you to go get a parent to help you?

“Before you were able to get on (one website), they send an email to your parent.” Mom added: “And the parent had to confirm.”

“On one website there’s a privacy mode so if you’re under 13, you can’t change it. If you want to change your age, you have to ask a parent by email.”

Did you ever click on something that led you to a totally different website?

“I was on (one website) and there was this little thing on the top of the page that said ‘are you a boy or a girl.’ It didn’t really look like an ad but it was just like a little thing with a picture and so, of course, we clicked on it and it went to another game website and it showed you a trailer.” Mom added that it was “teen rated” and included a warning that the content contained “violence, blood, partial nudity and alcohol.”

If you had to sign up for an account, did the website or app make it easy to delete your account when you were done?

“I was on (one website) and there was an option to delete the account and it deleted right away.”

Did anybody have trouble?

“A little bit. You had to email the company to delete it.”

– – – – –

Days after the Kids Sweep we got some great feedback from one of our parental sweepers who quipped that her kids are now tattling on each other for failing to read privacy policies. She added:

“They had a really good time and learned a lot about thinking critically when it comes to their personal information. If the result is that they make one brighter choice about their own privacy, then it was 100 percent worth it to me.”

It was this very comment that inspired one of our post-Sweep follow-up activities. The OPC has drafted a classroom activity for Grade 7 and 8 teachers across Canada based on our 2015 Kids Sweep.

We’ve simplified the Sweep form used to assess the privacy communications of apps and websites and are encouraging teachers to conduct privacy sweeps with students using the forms as a way to kick off a discussion about online privacy and the protection of personal information.

Alone or in groups, we are encouraging students to “sweep” their favorite apps and websites, to learn how to read privacy policies, to learn about tracking, the different types of personal information that might be collected and to discuss their observations with their teacher and peers. We’ve also provided a take-home tip sheet dubbed Pro Tips for Kids: Protecting Your Privacy for students and their parents.
Mother and daughter at computer.

Note to teachers: you can find the classroom activity on our website. As for parents and guardians, if it’s not something your kids are learning in school, think about adapting the lesson plan as a rainy Sunday afternoon activity!

Intimate, controversial or embarrassing photos and comments can have a lasting impact on a person’s reputation. Today, digital literacy as is as important as learning your ABCs and kids who understand and implement safe online privacy practices are less likely to make the sort of mistakes that could haunt them in the future.

Click here for more on the results of this year’s Children’s Privacy Sweep.


9 Sep 2014

From APP-laudable to dis-APP-ointing, global mobile app privacy sweep yields mixed results


Back in May, the Global Privacy Enforcement Network (GPEN) embarked upon its second annual Privacy Sweep, this time with a focus on mobile apps.

The Office of the Privacy Commissioner of Canada coordinated 25 other privacy enforcement authorities across the country and around the globe, in an assessment of the privacy communications of some 1,211 apps designed for both tablets and smartphones in a bid to find out which of them left our sweepers most at ease in terms of how their personal information was being collected and used.

By downloading and briefly interacting with the apps, this exercise was meant to recreate the consumer experience. Our sweepers ultimately sought to assess transparency based on five key indicators:

  1. Prior to installation, did the app explain how it would collect, use and disclose personal data via a privacy policy, app marketplace description or through some other communications tool?
  2. Which permissions did the app request access to and did the app explain why? For example, did it seek permission to access your identity/accounts, (which may include email address, Twitter handle and Facebook username, but not the information stored in those accounts); location, (based on nearby cell towers, GPS or nearby WiFi networks); photos/media/files, (which can include music, movies and other files stored on your device); camera/microphone, (which could allow the app to turn on and capture data from the phone’s camera and/or microphone, hopefully with the user’s knowledge and consent); device ID/call information (including phone number and an indication of when the user is on the phone and with whom, a request often made by games that wish to pause when the phone is engaged); and device/app history, (often used to perform diagnostics after a crash but that can include sensitive information like log data, web bookmarks and history, which apps are running on the device and other system information.)
  3. Did the sweeper feel that the permissions being sought went beyond what they expected based on the app’s functionality?
  4. Were the app’s privacy communications tailored to be read on a small screen?
  5. Overall, how satisfied was the sweeper with the privacy communications? How well did the app explain the permissions and how it collects, uses and discloses the associated personal information?

At the end of the day, users can only provide meaningful consent to the collection of their personal information if they are well informed as to how that information will be used.

In total, our Office examined 151 apps, for both Android and iOS platforms, that are popular among Canadians. About three-quarters of them were free, while the remaining ones were paid apps. Our assessment included a significant number of games, as well as health and fitness apps, news and magazine apps, and social networking apps.

We believe it’s important to share specific results from our Sweep, as we did last year, so Canadians can better understand our conclusions.

But before we start, let’s be clear: The Sweep was not intended to conclusively identify compliance issues or possible violations of privacy legislation. It was also not meant to be an assessment of the apps’ privacy practices in general, nor was it meant to provide an in-depth analysis of the design and development of the apps examined.

We haven’t conducted a formal investigation and we’ve chosen the following play on words to give you a general sense of how our sweepers felt about the apps during the experience.

With that, here are some examples of apps with the most APP-laudable, L-APP-luster and Dis-APP-ointing privacy features.

 

APP-LAUDABLE

On a scale of 0 to 3, our sweepers gave 28 per cent of apps top marks for providing timely, clear, concise explanations of their privacy practices.

In general, these apps made their privacy policies available on their website, their marketplace listing and within the apps themselves. The policies were, for the most part, consistent throughout and clearly explained how the apps would collect, use and disclose personal information.

Among the positive examples identified:

Shazam

This free app ranked 5th among music app downloads in Canada according to the popular Distimo Apple Store app chart the month of our sweep. Shazam will listen to a song or television show playing in the background and identify what it is you’re listening to or watching.

The app requests a number of permissions, including access to identity (accounts), location, photos/media/files, camera/microphone and device ID/call information.

Our sweepers were singing the praises of this app because its privacy communications provided clear explanations of individual permissions that left them with a generally positive feeling about how their personal information would be used.

For iOS, the app uses just-in-time notifications prior to accessing information, like in the example below which outlines why the app needs access to the microphone. On the Android marketplace listing, sweepers noted there’s a handy link that explains why the app needs to collect certain information. It’s appropriately dubbed: “Why does Shazam need these app permissions?”

Shazam on iOS

Shazam on Android permissions explained

Shazam on Android permissions breakdown

 

Fertility Friend: Ovulation Calendar

This free, made-in-Canada app was downloaded as many as 1 million times by Android users alone. It allows users to input cycle-related information to help track their fertility.

Sweepers were particularly pleased that this app explained not only what it would do with the information it collected, but also what it would NOT do.

For example, the app acknowledges that the type of information it collects is “extremely sensitive,” and promises not to “sell or transmit to others any personally identifiable data” entered on the site. A separate link explains that the site charges for premium services to avoid having to rely on advertisers for revenue.

Sweepers also noted the app’s privacy policy was well formatted for the small screen.

Fertility Friend on Android

As you can see from this colour-coded screen that displays menstrual cycle, fertile days and intercourse, users are required to input some pretty intimate details. These excerpts from the privacy policy, however, are quite clear about what the app will not do with that information and why.

Fertility Friend on Android

Fertility Friend privacy policy

Trip Advisor: City Guides

This popular free travel app has been downloaded more than 1 million times by Android users alone. It creates travel itineraries and offers reviews of restaurants, attractions and hotels in various cities.

Sweepers noted that the app did not provide a link to its privacy policy on either platform’s app marketplace. The policy was, however, available prior to installation on Trip Advisor’s website and in-app on Android and iOS.

The app ultimately earned APP-lause from our sweep team for tailoring its privacy communications to the app and to the small screen. The privacy policy is in an easy-to-read font and is well-structured, with a table of contents comprised of a list of explanations that users can click on to obtain more information (see the Android screenshot below for a list of hyper-linked privacy policy topics). The policy also provides a separate explanation for information collected by Trip Advisor apps on a mobile device (see iOS screenshot below).

TripAdvisor on Android

TripAdvisor on iOS

Our sweepers also gave a shout out to Trip Advisor last year when they examined the company’s website, and found its privacy policy went the extra step by offering users a detailed explanation of its “Instant Personalization” feature. The feature uses information provided by Facebook to give the user a more customized experience. The company’s explanation not only detailed what information was collected and how it was being used, but also provided instructions on how to enable and disable the feature.

L-APP-LUSTER

A significant number of apps earned praise from our sweepers for some of their privacy communications, but missed the mark in other areas.

Among them:

Trials Frontier

This free app ranked 14th overall in Canada the month before our sweep, according to Distimo’s Apple Store app chart. It’s a motorcycle racing game that allows users to compete against friends and strangers around the world.

This app makes its privacy policy available on the Google Play marketplace but not on Apple’s App Store. Also, it’s tough to locate the privacy policy on the developer’s website for iOS. Initially, users are directed to a page of game ads.

For the most part, sweepers felt the app did explain how it would collect, use and disclose personal information. The policy is fairly detailed and organized under useful headings like “what personal information does (the company) collect,” “how will my personal information be used and by whom,” and “what safeguards does (the company) use to protect my personal information.”

But this racing app earned some unwanted demerit points for failing to tailor to the small screen. On the iOS platform shown below, the privacy policy strained sweepers’ eyes, and when they zoomed in, they were forced to scroll horizontally, as well as vertically, which is cumbersome and not particularly user friendly.

Ubisoft privacy policy on Android

Ubisoft privacy policy on iOS

Guess the Emoji

This free app reached No. 48 overall in Canada the month before our sweep, according to Distimo’s Apple Store app chart.  It’s a fill-in-the-blank word game.

According to sweepers, the app seeks permission to access identity (accounts), photos/media/files and device ID/call information, among other things. The app’s privacy policy expanded on this to say that the company “may gain access to some personal data through third-parties or affiliates,” including access to “financial information such as credit card or bank account numbers and “information related to your current living accommodations.” Sweepers wondered what exactly this could mean.

The policy also provided a laundry list of potential uses of personal information, but sweepers were still perplexed as to why the app needed all those details for such purposes.

Their discomfort was only exacerbated by the policy’s explanation of the wide-ranging circumstances pursuant to which such information might be disclosed. It said, for example, that the company “may sell or rent your personal information to third parties for marketing purposes without your explicit consent.”

While it is good that the company provided a detailed explanation of the information it may collect and how it may be disclosed, privacy practices need to be justified, not just stated.

Guess the Emoji screenshot 1

See for yourself what this app proposes to do with the personal information it collects in these two screen grabs of the developer’s privacy policy.

Guess the Emoji Screenshot 2

DIS-APP-OINTING

Approximately 26 per cent of apps left our sweepers with a real sense of discomfort in terms of how they conveyed their privacy practices and, in some cases, with respect to what they said they might do with the personal information collected.

Among them:

Super-Bright LED Flashlight

This free app made it to No. 17 overall in Canada on Distimo’s top Google Play Store app chart the very week of our sweep. It allows users to turn their mobile phone into a flashlight.

The app sought permission to access the user’s camera/microphone, device ID/ call information and even photos/media/files. Besides the camera flash function, it was not made clear to sweepers why the app would need all that information to operate a flashlight.

Sweepers found no link to a privacy policy in the app’s Google Play marketplace listing so they followed a link to the “developer’s website,” which led them to a “domain parking” service. The website contained no content, except for two links, one of which was for individuals who may be interested in buying that website’s domain name – i.e. the point of domain parking. The other link took users to the privacy policy of the domain parking company, which contained nothing about the flashlight app’s collection, use and disclosure of personal information.

Without a clear and accessible policy outlining how their personal information would be used, this flashlight app left our sweepers in the dark!

 

Super-Bright LED Flashlight on Android

This image taken from an Android device shows the large number of permissions sought by this flashlight app.

Pixel Gun 3D

This free app reached No. 18 among game downloads in Canada on Distimo’s top Apple Store chart the month before our sweep. It is a multiplayer, pixel cartoon shooting game that allows users to create and customize their own characters.

This app seeks permission to access device ID/call information, device/app history and photos/media/files, among other things, but there is no privacy policy available on this app’s marketplace listing, on its website or within the app itself.

While there is no privacy policy, a “terms of use” policy available in-app, speaks to granting the developer full control over user content. This includes the ability to “sublicense and assign to third parties and a right to copy, reproduce, fix, adapt, modify, improve, translate, reformat, create derivative works from, manufacture, introduce into circulation, commercialize, publish, distribute, sell, license, sublicense, transfer, rent, lease . . . your user content . . . in connection with our provision of the game, including marketing and promotions . . .” It adds that the license granting the company this unlimited access to user content will only end once the user deletes their content or uninstalls the game, unless it’s been shared with a third party that has not deleted the information. Furthermore, the policy notes that the content “may persist in back-up copies for a reasonable period of time.”

Not only did sweepers find the terms of use policy long and legalistic, an oft-cited complaint during last year’s sweep that’s particularly challenging on the small-screen, they also found it very difficult to read as it was written in a tiny white font over a colourful, moving, animated background and required significant scrolling.

Sweepers ultimately felt the app’s privacy communications left much to be desired and, given the potentially personal nature of the permissions, they were uncomfortable using the app.

 Pixel Gun 3D on iOS

It’s best to think of our sweep as a snapshot in time. Apps are constantly evolving. While our sweepers assessed and reassessed each app over these last few months in the interest of quality control, each examination either raised new questions or answered old ones.

At the end of this experiment, one thing is clear to our sweepers: privacy communications are fluid and the level of accessibility will depend on user know-how, the platform being used (e.g. Android, iOS or BlackBerry) and the type of device, whether it’s a Lenovo tablet, an iPad or a Samsung Galaxy smartphone.

Nevertheless, we wanted to provide you with some concrete examples of what we found during our sweep.

Once we’ve finished sorting through our results, in conjunction with our provincial and international partners who are doing the same, we will determine any appropriate follow-up action.

As with last year’s sweep, our follow-up activities will include reaching out to organizations to inform them of our findings and making suggestions for improvements. We also have the option to pursue enforcement action.

Full disclosure: we wrote to the companies mentioned in the blog a week before posting to share our concerns. So far Random Logic Games/Conversion LLC, the maker of Guess the Emoji, has committed to making positive changes.

 


7 May 2013

A First-Person-Sweeper Perspective


OPC internet privacy sweep

Yesterday, our Office participated in the first ever international internet privacy sweep. An initiative of the Global Privacy Enforcement Network (GPEN), the sweep is a coordinated effort among a number of data protection agencies to address a particular privacy issue. This year’s sweep assessed transparency online.

I was one of about 20 OPC employees who spent part of the day “sweeping” – visiting sites from a list we had compiled of over 1000 websites popular among Canadians. Our task: to review the privacy policies of popular websites from the point of view of the average consumer, and determine whether we could find out about an organization’s information handling practices, raise questions or concerns with an organization about their information handling practices, and understand their privacy policies.

Many of us sat at networked laptops in a small boardroom we dubbed “The Broom Closet”. Armed with coffee and spreadsheets, we clicked our way through privacy policies, checking for readability, counting words, and taking note of “Bouquets” (elements of privacy policies we felt were done well) and “Turnips” (elements of privacy policies that could be improved).

Through GPEN, the results from all of the sweeps conducted this week will be analyzed and results will be made public sometime in the coming months.

I spent the morning looking at popular kids’ websites. Some observations:

Privacy policies on children’s websites are written for parents, not kids.

In order to operate in the U.S., sites targeted to kids need to be compliant with the U.S. Children’s Online Privacy Protection Act (COPPA).

Operators of kids’ sites might aim to create privacy policies that are robust and comprehensive but in doing so, their privacy policies can risk being long, complex and legalistic.

Even so, some of the sites I visited clearly took some extra effort to break down their policies in order to meet the requirement under COPPA that privacy policies be “clear and understandable” – either by organizing information into hyperlinked chunks or tables, or providing summaries with links to the full policy below.

I can appreciate the challenge these sites face – on the one hand, they must demonstrate compliance; on the other hand, parents of kids who use these sites want to make informed decisions about their information. And parents often need to make those decisions quickly, or with other immediate priorities competing for their attention.  How many of you have tried to make heads or tails of a new game your child wants to play, while breaking up a fight over who gets to use the iPad, while sweeping up goldfish crackers and Cheerios? (Not that this happens in my house, ever.)

When you consider that researchers have estimated it can take people up to 250 hours to read all of the privacy policies they encounter in a year, wouldn’t it be nice to see a privacy policy that tells you what you need to know, but also helps shave a couple of minutes off?


4 Apr 2011

OPC Hosts International Group – Monitoring Risks and Highlighting Opportunities


Our Office is pleased to be hosting the 49th meeting of the “Berlin Group”, more formally known as the International Working Group on Data Protection in Telecommunications, which takes place today and tomorrow, in Montreal. This is the first time that this Group has met in Canada. Participants in the meeting, representing more than 20 international data protection and privacy authorities, will be focusing on privacy-related topics such as electronic payments, vehicle event data recorders and locational privacy.

The Berlin Group was established in 1983 by the Berlin Commissioner for Data Protection and Freedom of Information. The Group has, through its continuing examination of the data protection and privacy implications of telecommunications-based systems and services, developed into what the current Chairman and Berlin Commissioner, Dr. Alexander Dix, refers to as “an early warning system monitoring the risks arising from new technological developments, but at the same time, highlighting the opportunities of a privacy-friendly network architecture”.

The Group takes a very inclusive approach on what constitutes a telecommunications-based system or service. Over the years, this has resulted in a detailed examination of a broad range of subjects, everything from search engines and location-based services to social network services and road pricing systems.


3 May 2010

Transparency, search engines and government appetite for data


There has been a long-standing debate between privacy advocates and government officials about the extent of government interest in the information transmitted across domestic and international networks. The passage of USA PATRIOT Act intensified this debate and prompted concern from a more general audience as well. Ever since, the digerati and online crowd have been whispering and wondering about the interface between search engines, particularly Google, and law enforcement and national security bodies.

In brief, this comes up in classrooms and at conferences in roughly the following exchange:

Q. “So, should I worry about what Google knows about me?”

A. “Maybe, but I’d worry more about what the government gets out of Google, then matches with what they already know about you.”

Around this issue, researchers like Chris Soghoian in the US (as well as Ben Hayes and Simon Davies overseas) have been pushing for greater transparency from both companies and government on the use of broad data production powers.  Last week, to their great credit, Google took a big first step and published an interactive map on the numbers and types of data requests they recieve from governments around the world.  This coincides with another important US private sector push – Digitaldueprocess.org – that is asking for clear, consistent and accountable measures to be put in place when government ask companies to ‘check up’ on their customers.

We commend Google and others involved for this significant first step, look forward to improvements and more details as they tweak the reporting model and sincerely hope other companies (and, ahem! governments) follow suit.


4 Nov 2008

Freedom Not Fear Day


Photo of a crowd from Freedom Not Fear dayOn October 11, In 22 cities across Europe, citizens demonstrated to express their concerns over what they see as the increasing growth in government-created surveillance societies. October 11 was Freedom Not Fear Day, organized by the German Working Group on Data Retention.

In Berlin alone, over 15,000 protesters gathered in a rally that ended at the Brandenburg Gate. (The organizers have argued that 15,000 is a lowball number from the authorities, and the actual number could be closer to 50,000.) Peaceful and creative action took place throughout Europe, including art performances in Vienna, public lectures in Rome, and the construction of a collage made from uploaded photos of UK surveillance equipment and tactics in London.

From the website of the German Working Group on Data Protection:

“Surveillance mania is spreading. Governments and businesses register, monitor and control our behaviour ever more thoroughly. No matter what we do, who we phone and talk to, where we go, whom we are friends with, what our interests are, which groups we participate in – “big brother” government and “little brothers” in business know it more and more thoroughly. The resulting lack of privacy and confidentiality is putting at risk the freedom of confession, the freedom of speech as well as the work of doctors, helplines, lawyers and journalists.

The manifold agenda of security sector reform encompasses the convergence of police, intelligence agencies and the military, threatening to melt down the division and balance of powers. Using methods of mass surveillance, the borderless cooperation of the military, intelligence services and police authorities is leading towards the construction of “Fortresses” in Europe and on other continents, directed against refugees and different-looking people but also affecting, for example, political activists, the poor and under-priviledged, and sports fans.

People who constantly feel watched and under surveillance cannot freely and courageously stand up for their rights and for a just society. Mass surveillance is thereby threatening the fabric of a democratic and open society. Mass surveillance is also endangering the work and commitment of civil society organizations.

Surveillance, distrust and fear are gradually transforming our society into one of uncritical consumers who have “nothing to hide” and – in a vain attempt to achieve total security – are prepared to give up their freedoms. We do not want to live in such a society!

We believe the respect for our privacy to be an important part of our human dignity. A free and open society cannot exist without unconditionally private spaces and communications.”

In the United States, Freedom Not Fear Day was supported by a number of NGOs, including the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC). Together, they issued a release calling for an end to watch lists and data profiling programs that fail to comply with the federal Privacy Act, the establishment of comprehensive data protection legislation, and the repeal of the Patriot Act.

But Freedom Not Fear Day was a decidedly more subdued affair in the U.S. Besides this endorsement and statement issued by EPIC, EFF and IP Justice, no other activities appear to have been scheduled to commemorate Freedom Not Fear Day in Washington D.C. Canadian activities were similarly subdued: the official website notes that a light projection was planned for Toronto’s City Hall but information on who organized it and how it turned out couldn’t be found.

Granted, the roots of Freedom Not Fear Day are in Berlin and the global day of action seems to have spread to other European capitals but it’s interesting to note that North Americans seem reluctant to stand up to the notion of “security theatre“.


29 Jul 2008

Privacy for the next decade, not next week


Is the privacy community weakening its influence by concentrating on the incidents and obsessions of everyday life? By reacting to decisions made by individual companies, by focusing on specific technical challenges and eventually acceding to the creation of tools that both solve those technical challenges and enable the gradual erosion of our right to privacy, are we behaving shortsightedly?

Are we focusing on the street signs and landmarks that dominate our behaviour as individuals, rather than helping identify and lay the roads that will guide the development of our society?

That’s the question posed by Professor Ian Kerr of the University of Ottawa at a private function in Edmonton last month. Speaking to an audience of Privacy Commissioners, Assistant Privacy Commissioners and senior privacy advocates, he worried that:

“… idealism is no longer in vogue. … My concern is that we in the privacy advocacy community are taking approaches that shrink any space for idealism; and that, as a result, we in the privacy community are, quite unintentionally and inadvertently, undermining ourselves. We are creating for ourselves a kind of silence through which we will no longer be heard.”

Professor Kerr went on to cite Langdon Winner, writing in 1980’s Autonomous Technology:

“Shielded by the conviction that technology is neutral and tool-like, a whole new order is built – piecemeal, step by step, with the parts and pieces linked together in novel ways – without the slightest public awareness or opportunity to dispute the character of the changes underway. It is somnambulism (rather than determinism) that characterizes technological politics… Silence is its distinctive mode of speech.”

Many privacy protection authorities, whether provincial, federal or international, find that most of their time and energy is occupied protecting the privacy rights of individuals, on a case by case basis. This is a result of their mandate to enforce specific legislation, the processes established within each office, and the natural impulse to ensure an individual’s rights are protected, errors are corrected and wrongs are addressed.

Nevertheless, it is undeniable that privacy advocates – especially Privacy Commissioners – have an obligation to look beyond the transaction and to observe the trend, to anticipate challenges to our privacy rights and prepare counter arguments.

The text of Professor Kerr’s speech is available, as well as the audio.


7 Feb 2008

Hitting the Delete key – not as easy as we like


We’ve blogged here before about the burgeoning data portability movement. The appealing aspect of data portability is that it would make it easy for us to essentially copy and paste our personal information from one place into a new place.

But another aspect of data portability could and should be the ability to move your personal information right off the Internet altogether. Jean Burgess, a researcher based in Australia, recently blogged about the frustrations of removing herself from the social networking site Facebook. She writes:

“Oh, and by the way, in order to delete your Facebook account, apparently, you have to not only deactivate it, but also delete every single item you have contributed to the site (messages, wall posts, posts other people have written on your wall, photos, links to contacts, profile information) and then email customer service and request they delete your account completely. Oh, and also, in order to delete absolutely everything, I’d also have to re-add every single one of the applications I’ve ever had installed, and then go through and remove the content, and then delete the applications again. Because when you delete an application, guess what? Your data is still stored there somewhere.”

Sites like this (and the software developers that partner with them) don’t make it easy to take back your digital footprint. And they likely won’t change their practices until a critical mass of users start to clamour for change.